Microsoft disrupted a large-scale campaign by Vanilla Tempest involving fake installers for Microsoft Teams, which used compromised code-signing certificates to deliver ransomware and backdoors. The campaign exploited trusted signing infrastructure and relied on social engineering, SEO poisoning, and legitimate certificate authorities to evade detection. #VanillaTempest #Rhysida #ViceSociety #CodeSigningCertificates
Key points
- Microsoft revoked over 200 certificates used by Vanilla Tempest to sign malicious binaries.
- The group used counterfeit Teams installer domains and search-engine poisoning to infect users.
- Fake installers delivered the Oyster backdoor, enabling data theft and lateral movement.
- Vanilla Tempest has targeted sectors like education, healthcare, and manufacturing with ransomware families.
- Detection strategies include monitoring unusual certificate activity, suspicious network connections, and unfamiliar process trees.
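As an added illustration of the certificate-focused detection in the last point (example code, not from the article or from Microsoft), the following PowerShell inspects a downloaded installer's Authenticode signature, compares the signer with an expected publisher, and forces an online revocation check so a certificate revoked after the file was signed is still flagged. The file path and the expected publisher string are placeholders to adjust for your environment.

```powershell
# Check an installer's Authenticode signature, the signer's identity, and the
# current revocation state of the signing certificate (added example).
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedPublisher = 'CN=Microsoft Corporation'   # assumption: adjust per expected signer
)

$sig = Get-AuthenticodeSignature -FilePath $Path

$result = [ordered]@{
    File            = $Path
    SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
    Signer          = $null
    PublisherMatch  = $false
    Revoked         = $false
    ChainErrors     = @()
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $result.Signer         = $cert.Subject
    $result.PublisherMatch = $cert.Subject -like "*$ExpectedPublisher*"

    # Rebuild the chain with online revocation checking for every certificate in it.
    # A signature made with a certificate that the CA has since revoked can still
    # carry an intact hash, so the chain status is checked separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.Revoked     = ($result.ChainErrors -contains 'Revoked')
}

# Anything that is not a valid signature from the expected publisher on an
# unrevoked certificate is worth a closer look.
$result.Suspicious = ($sig.Status -ne 'Valid') -or (-not $result.PublisherMatch) -or $result.Revoked
[pscustomobject]$result
```

The publisher comparison is only a plausibility check; the signature status and chain errors are the authoritative signals, and the revocation check needs network access to the CA's CRL or OCSP endpoint.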
Read More: https://thecyberexpress.com/microsoft-disrupts-vanilla-tempest-campaign/